Leaked info of 122 million linked to B2B data aggregator breach

The business contact information for 122 million people circulating since February 2024 is now confirmed to have been stolen from a B2B demand generation platform.

The data comes from DemandScience (formerly Pure Incubation), a B2B demand generation company that aggregates data.

Data aggregation is the process of collecting, compiling, and organizing data from public sources to create a comprehensive dataset valuable for digital marketers and advertisers in creating rich “profiles” used to generate leads or marketing information.

In the case of DemandScience, the firm collected business data from public sources and third parties, including full names, physical addresses, email addresses, telephone numbers, job titles and functions, and social media links.

In February 2024, a threat actor named ‘KryptonZambie’’ began selling 132.8 million records on BreachForums, claiming they were stolen from an exposed system belonging to Pure Incubation.

At the time, BleepingComputer contacted DemandScience about the allegedly stolen data and was told there was no evidence of a breach. A follow-up email asking if the leaked data samples belonged to DemandScience went unanswered.

“Based on the post you forwarded from a black hat hacking crime forum, we immediately activated our security and incident response protocols,” Derek Beckwith, a Senior Director of Corporate Communications, told BleepingComputer.

“All our systems are 100% operational, and we have not found any indication that a hack or breach to any of our systems or data has occurred (all are secured behind firewall/VPN access/Access control/intrusion detection systems). We are continuing to monitor the situation, so it would not be appropriate to expand further at this point.”

Fast foward to August 15, 2024, and KryptonZambie made the dataset available for 8 credits, which corresponds to only a few dollars, essentially leaking the data for free.

Today, Troy Hunt published a blog post confirming that the data is authentic, stating someone exposed in the leak contacted DemandScience and was told that the leaked data originated from a system that had been decommissioned two years ago.

“Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited,” reads an email from DemandScience.

“We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years.”

Hunt confirmed other people’s data in the leak, including his own record, which contained data from when he worked at Pfizer.

All 122 million unique email addresses from the stolen dataset have now been added to Have I Been Pwned, and exposed subscribers will receive notifications about the breach.